June 20, 2016

Data, Privacy & Security Practice Report – June 20, 2016


District Court Grants Summary Judgment Against P.F. Chang’s In Cybersecurity Insurance Case – On June 13, 2016, the United States District Court for the District of Arizona granted summary judgment against P.F. Chang’s China Bistro, Inc. (“P.F. Chang’s”) in a cybersecurity insurance lawsuit that it brought against its insurer, Federal Insurance Company (“Federal”). On June 10, 2014, P.F. Chang’s discovered that it had suffered a data breach in which hackers improperly acquired the credit card numbers of approximately 60,000 of its customers and posted them on the Internet. That same day, P.F. Chang’s informed its cybersecurity insurer, Federal, of the breach. So far, Federal has reimbursed P.F. Chang’s more than $1,700,000 pursuant to the cybersecurity insurance policy (the “policy”) that it sold to P.F. Chang’s. That reimbursement has covered various costs associated with the breach, such as a forensic investigation and the defense of litigation initiated by customers whose credit card numbers were improperly obtained.

On March 2, 2015, MasterCard, a credit card issuer (the “issuer”), imposed three monetary assessments on P.F. Chang’s credit card servicer, Bank of America Merchant Services (“the servicer”), for costs associated with the breach: a Fraud Recovery Assessment of $1,716,798.85, an Operational Reimbursement Assessment of $163,122.72, and a Case Management Fee of $50,000. Subsequently, pursuant to a master service agreement between the servicer and P.F. Chang’s, the servicer directed P.F. Chang’s to reimburse it for the assessments that the issuer had imposed. P.F. Chang’s reimbursed the servicer for the assessments; however, P.F. Chang’s then sought coverage for the reimbursement from Federal pursuant to the cybersecurity insurance policy. Federal denied coverage and P.F. Chang’s initiated a lawsuit.

There are two critical parts of the Court’s decision. First, the Court addresses the policy’s exclusion provisions and its definition of loss. According to Exclusion D.3.b, “[w]ith respect to all Insuring Clauses, [the insurer] shall not be liable for any Loss on account of any Claim, or for any Expense . . . based upon, arising from or in consequence of any . . . liability assumed by any Insured under any contract or agreement.” Under Exclusion B.2, “[w]ith respect to Insuring Clauses B through H, [the insurer] shall not be liable for . . . any costs or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any Insured.” Moreover, according to Insuring Clause A, loss does not include “any costs or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any Insured.” The Court characterized the three exclusions that Federal asserted as sharing a single function: to bar coverage for contractual obligations an insured assumes with a third party outside of the Policy. The Court agreed with Federal’s contention that the assessments for which P.F. Chang’s sought coverage arose from liability assumed by P.F. Chang’s to the servicer and, therefore, were excluded from coverage. P.F. Chang’s argued that the exclusions do not apply to obligations for which the insured would be responsible absent any assumption of liability, but the contract contained no such express exception to the exclusions. The Court held that contractual liability exclusions apply to the assumption of another’s liability, such as an agreement to indemnify or hold harmless. It concluded that P.F. Chang’s agreement with the servicer met this criterion and triggered the exclusions because, in the master services agreement between P.F. Chang’s and the servicer, P.F. Chang’s agreed to reimburse or compensate the servicer for any fees, fines, penalties, or assessments imposed on the servicer by the issuer. Finally, the Court concluded that even if the law permits such an exception, the policyholder did not direct the Court to any evidence in the record that P.F. Chang’s would have been liable for the assessments but for its agreement with the servicer.

The second critical component of the Court’s decision concerned a potential source of coverage other than the policy. Specifically, P.F. Chang’s argued that coverage also existed under the reasonable expectation doctrine. According to the Court, that doctrine applies only if two prerequisites are present. First, the insured’s “expectation of coverage must be objectively reasonable.” Second, the insurer “must have had reason to believe that the [insured] would not have purchased the . . . policy if . . . [the insured] had known that it included” the disputed provision. According to the Court, the record lacked any “supporting evidence that during the underwriting process P.F. Chang’s expected that coverage would exist for Assessments following a hypothetical data breach.” On that basis, the Court determined that the first prerequisite was absent. Therefore, the Court concluded that coverage did not exist pursuant to the reasonable expectation doctrine.

The law in the area of coverage for data breaches is still evolving as companies seek coverage under commercial general liability, cyber, crime, and other policies. This decision is noteworthy because of the Court’s examination of the issue of recovering data breach losses under the provisions of a specific cyber policy. Because these policies all differ considerably, companies are encouraged to examine the particular provisions of their own cyber policies and review any questions with coverage counsel.

A copy of the Court’s decision is available here.

Reporter, Barrett R. H. Young, Washington, D.C., +1 202 626 2928, bryoung@kslaw.com.

Russian Intelligence Breaches Democratic National Committee Servers - Last week saw the announcement of yet another high-profile network breach. On June 14, 2016, the press reported that hackers had penetrated the Democratic National Committee’s (“DNC”) network for nearly a year. Most notably, the hackers had accessed and taken the opposition research database on Republican presidential candidate Donald Trump. The DNC denied that any financial, donor, or personal information was accessed or taken.

According to the DNC and CrowdStrike, the computer security firm that examined and shut down the breaches, the DNC’s system was breached by two different groups, one in summer 2015 and the other in April 2016. CrowdStrike described both groups as affiliated with Russian intelligence services. Russia has denied all involvement in the DNC hack. Days after the announcement, a hacker using the name Guccifer 2.0 claimed responsibility for the 2015 DNC breach and claimed not to be connected to Russian intelligence. This hacker also disputed the claims that there had been no access to financial and donor information, and released documents purported to be donor spreadsheets and documents from Hillary Clinton’s files as Secretary of State. The authenticity of those files has not yet been confirmed.

The DNC has stood by its initial findings and implied that the posting by Guccifer 2.0 may be part of a Russian disinformation campaign to deflect blame. Nonetheless, the release raises questions about whether the DNC has a complete understanding of the extent of the breach or even whether there may have been yet another unrelated breach. In any event, this attack drives home the fact that hackers pose an ever-present threat to any organization’s data and networks.

Reporter, Alex Yacoub, Atlanta, +1 404 572 2758, ayacoub@kslaw.com

Senate Creates Cybersecurity Caucus - On June 14, 2016, Senators Mark Warner (D-VA) and Cory Gardner (R-CO) announced the creation of the Senate Cybersecurity Caucus to help coordinate cybersecurity efforts across Senate committees and keep lawmakers and staffers up-to-date on cyber policy. 

In their press release announcing the creation of the Caucus, Senator Gardner cited evolving cyber threats as a reason for starting the effort and a need for a “grand strategy” that is “adaptable to technological developments and the ever-changing cyber field.”

In his comments, Senator Warner characterized cybersecurity as “one of the most serious economic and national security challenges we face as a nation.” Senator Warner also pointed out the need for coordination in Congress on the issue, as nine Senate committees in the current Congress have held a range of hearings on it, including on topics such as protecting taxpayer information from cyber theft, the development of deterrent technologies targeted at foreign actors, and the need to secure U.S. infrastructure against intrusion.

According to their press release, cyber-attacks account for up to $120 billion in economic and intellectual property loss annually in the United States and cost the average American firm more than $15 million per year. In an effort to address these attacks, the Cybersecurity Caucus will provide “unique opportunities to inform Senators on the major cyber policy issues facing Congress, introduce Senators and their staff to leading cybersecurity experts, and promote bipartisan and cross-jurisdictional discussions on this important issue.”

The Caucus mirrors a 2008 effort in the House of Representatives led by Congressman Jim Langevin (D-RI) and Congressman Mike McCaul (R-TX), Chairman of the House Homeland Security Committee, to provide a forum for members representing different committees of jurisdiction to discuss the challenges in securing cyberspace. The website for the House of Representatives Congressional Cybersecurity Caucus can be found here.

Reporter, Stephen Abreu, San Francisco, +1 415 318 1219, sabreu@kslaw.com

House Homeland Security Committee Holds Hearing On 2015 Cybersecurity Act - On June 15, 2016, the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies held a hearing to examine industry perspectives on the implementation of the Cybersecurity Act of 2015 (“CISA” or the “Act”). The witnesses at the hearing were Mr. Matthew J. Eggers, Executive Director of Cybersecurity Policy, National Security and Emergency Preparedness, at the U.S. Chamber of Commerce; Mr. Robert H. Mayer, Vice President of Industry and State Affairs at the United States Telecom Association; Mr. Mark Clancy, Chief Executive Officer at Soltra; Mr. Mordecai Rosen, General Manager, Security Business Unit at CA Technologies; and Ms. Ola Sage, Founder and Chief Executive Officer at e-management.

Each witness expressed overall support for the Department of Homeland Security’s (“DHS”) implementation thus far, while still pointing out current concerns. Mr. Mayer noted that lingering questions concerning statutory liability protections for information sharing remained, but that industry and government are committed to addressing these questions.

In addition, Mr. Mayer expressed concerns regarding the implications of, and potential conflicts with, draft privacy rules that the Federal Communications Commission (the “FCC”) recently announced. Under CISA, an entity can share personal information if, at the time of sharing, that entity did not knowingly reveal personal information unrelated to the cybersecurity threat. However, the FCC proposal would limit protection only to cases in which the information sharing is shown to be “reasonably necessary.” Mr. Mayer ended his statement with a comment that they are currently working with the FCC to gain clarity on its proposal.

Mr. Clancy testified that DHS and the Department of Justice (“DOJ”) need to clarify that liability protection under the Act covers sharing between private parties and not just between industry and government. Representative John Ratcliffe (R-TX) resolved this later in the hearing when he noted that DHS and DOJ had released information sharing guidance that morning titled, “Guidance to Assist Nonfederal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities Under the Cybersecurity Information Sharing Act,” which clarifies that the Act’s liability protections extend to sharing between nonfederal entities. Mr. Clancy also testified that DHS and DOJ should provide additional guidance on the definition of personally identifiable information (“PII”), given the tension between the definitions in DHS’s Automated Indicator Sharing (“AIS”) program guidance and those used in other DHS programs.

Finally, in her testimony Ms. Sage discussed the issue that many small businesses are unaware of the Act. Currently, the Act is largely of interest to major corporations with greater infrastructure and resources. She believes the government can increase awareness of the law through its existing outreach programs.

Over 50 private companies and 24 federal agencies share critical information in the DHS National Coordination Center. In the hearing, the witnesses congratulated DHS for the job it has done to date on the implementation. The main concerns brought forward during the hearing addressed the need for clarification on a few points in the Act and the need for increased awareness of the value of working with DHS.

Witness prepared testimony and an archived webcast of the hearing can be found on the House Homeland Security website here.

Reporter, Jennifer Raghavan, +1 415 318 1234, jraghavan@kslaw.com

ALSO IN THE NEWS

Average Cost Of Data Breaches Estimated At $4 Million Worldwide, $7 Million In The U.S.

A new study published by IBM and the Ponemon Institute sets the average total cost of a data breach at $4 million. The study, based on a survey of 383 organizations in 12 countries, estimates that any given organization has a 26% chance of suffering a data breach involving at least 10,000 records. In the United States, the average total cost of a breach is $7.01 million, up from $6.53 million the prior year. For each record stolen, a data breach will cost a U.S. organization on average $221. The study also found that data breaches were most costly in the healthcare, educational, and financial industries. Nearly half of breaches were caused by malicious attacks (by hackers or criminal insiders), as opposed to human error or system malfunctions, which make up the rest. Malicious breaches, unsurprisingly, also impose the highest cost on organizations. The study also identified ways for an organization to reduce the cost of a data breach; the most effective were the implementation of an incident response team and the extensive use of encryption across the organization. The study is available here.